Monthly Archives: August 2016

Google has become the latest American tech giant to sign on to the US-EU Privacy Shield. “We are committed to applying the protections of the Privacy Shield to personal data transferred between Europe and the United States,” Google’s Caroline Atkinson, head of Global Public Policy, noted in a blog. “As a company operating on both sides of the Atlantic, we welcome the legal certainty the Privacy Shield brings. Restoring trust—in international data flows and in the Transatlantic Digital Agenda—is crucial to continued growth in the digital economy.” Microsoft, Salesforce.com and Workday got on board with the joint initiative between the US Department of Commerce and European Commission earlier this month.

Read more at
http://www.infosecurity-magazine.com/news/google-signs-on-for-useu-privacy/

e-Voting

Threats to our electoral process can come from outside the country or from nefarious insiders. Our country needs to be better prepared. After Russian state security personnel were accused of hacking the Democratic National Committee, the possibility of outsiders manipulating the American political process became a reality. With the reliance on computers to collect votes, report results, communicate campaign strategies, and coordinate voter registration activities, the electoral process has new vulnerabilities. In addition, rogue countries aren’t the only threat; insiders are also capable of manipulating election results. Here are six ways that elections can be hacked.

Read more at
http://www.darkreading.com/endpoint/6-ways-to-hack-an-election/a/d-id/1326762?

At some point in the recent past — he is not sure exactly when — F-Secure’s Chief Research Officer Mikko Hypponen coined the term ‘cyber crime unicorn’. His purpose was to highlight the growing professionalism of cyber criminals, and the term caught on. Now he has asked the question seriously: could a ransomware product actually be a criminal tech unicorn, that is, a start-up business valued at more than $1 billion? In a new article his short answer is No, but only because it would be impossible for the founders to cash out through the traditional IPO route. By most other yardsticks, cyber crime compares favorably to legal business. Consider one of today’s prime businesses, Uber. According to a Thursday report in Bloomberg, Uber is on course to record a $2 billion loss this year following a similar loss last year — and yet its latest valuation is $69 billion. Cyber criminals do not make losses.

Read more at
http://www.securityweek.com/f-secures-mikko-hypponen-talks-cyber-crime-and-cyber-unicorns

It’s no secret: we’re really bad at passwords. Nevertheless, they aren’t going away any time soon. With so many websites and online applications requiring us to create accounts and think up passwords in a hurry, it’s no wonder so many of us struggle to follow the advice of so-called password security experts. At the same time, the computing power available for password cracking just gets bigger and bigger. OK, so I started with the bad news, but this cloud does have a silver lining. It doesn’t need to be as hard as we make it, and the government is here to help. That’s right: the United States National Institute of Standards and Technology (NIST) is formulating new guidelines for password policies to be used across the whole of the US government (the public sector). Why is this important? Because the policies are sensible and a great template for all of us to use within our own organizations and application development programs.

Read more at
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

A recently released NSA exploit from the “Shadow Brokers” leak, which affects older versions of Cisco Systems firewalls, can work against newer models as well. Dubbed ExtraBacon, the exploit was restricted to versions 8.4.(4) and earlier of Cisco’s Adaptive Security Appliance (ASA) – a line of firewalls designed to protect corporate and government networks and data centers. However, the exploit has now been expanded to 9.2.(4) after researchers from Hungary-based security consultancy SilentSignal were able to modify the code of ExtraBacon to make it work on a much newer version of Cisco’s ASA software. Both Cisco and Fortinet have confirmed their firewalls are affected by exploits listed in the Shadow Brokers cache, which contained a set of “cyber weapons” stolen from the Equation Group.

Read more at
http://thehackernews.com/2016/08/cisco-firewall-hack.html

Android has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets that affect more than 900 Million Android smartphones and tablets worldwide. What’s even worse: most of those affected Android devices will probably never be patched. Dubbed “Quadrooter,” the set of four vulnerabilities, discovered in devices running Android Marshmallow and earlier that ship with Qualcomm chips, could allow an attacker to gain root-level access to any Qualcomm device. The chip, according to the latest statistics, is found in more than 900 Million Android tablets and smartphones. That’s a very big number. The vulnerabilities were disclosed by a team of Check Point researchers at the DEF CON 24 security conference in Las Vegas.

SMS-based Two-Factor Authentication (2FA) has been declared insecure, and soon it might be a thing of the past. Two-Factor Authentication, or 2FA, adds an extra step when you log in to your account: entering a random passcode sent to you via SMS or a phone call, as an added layer of protection. For example, if you have 2FA enabled on Gmail, the platform will send a six-digit passcode to your mobile phone every time you sign in to your account. But the US National Institute of Standards and Technology (NIST) has released a new draft of its Digital Authentication Guideline that says SMS-based two-factor authentication should be banned in the future due to security concerns.

Read more at
http://thehackernews.com/2016/07/two-factor-authentication.html


Tor Spying Nodes

Read more at
http://thehackernews.com/2016/07/tor-deep-web-spying.html

KeySniffer Wireless Keyboard Hacking

Radio-based wireless keyboards and mice that use a special USB dongle to communicate with your PC can expose all your secrets – your passwords, credit card numbers and everything you type. Back in February, researchers from the Internet of Things security firm Bastille Networks demonstrated how they could take control of wireless keyboards and mice from several top vendors using so-called MouseJack attacks. The latest findings by the same security firm are even worse. Researchers have discovered a new hacking technique that can allow hackers to take over your wireless keyboard and secretly record every key you press on it. Dubbed KeySniffer, the hack is death for millions of wireless, radio-based keyboards.

Read more at
http://thehackernews.com/2016/07/wireless-keylogger.html

Another blow to the Tor Project: one of the Tor Project’s earliest contributors has decided to quit the project and shut down all of the important Tor nodes under his administration. Lucky Green was part of the Tor Project before the anonymity network was known as TOR. He probably ran one of the first 5 nodes in the TOR network at its inception and managed special nodes inside the anonymity network. However, Green announced last weekend that “it is no longer appropriate” for him to be part of the Tor Project, whether financially or by providing computing resources. TOR, also known as The Onion Router, is an anonymity network that makes use of a series of nodes and relays to mask its users’ traffic and hide their identity by disguising IP addresses and origins. The TOR network is used by privacy-conscious people, activists, journalists and users from countries with strict censorship rules.

There’s a lot more to come from the DNC Hack. The Associated Press confirmed yesterday that the computer systems used by Hillary Clinton’s presidential campaign were hacked as part of the recent Democratic National Convention (DNC) hack.

Last week’s email dump containing almost 20,000 emails from top DNC officials, which led DNC Chairwoman Debbie Wasserman Schultz to resign as the group’s leader, was just the beginning, as WikiLeaks announced that it was part one of its new Hillary Leaks series.

This suggests WikiLeaks Founder Julian Assange has had his hands on more data from the DNC hack that, according to him, could eventually result in the arrest of Hillary Clinton.

Assange — Wikileaks’ Next Leak will lead to Arrest of Hillary Clinton

In an interview with Robert Preston of ITV last month, Assange made it clear that he hopes to harm Hillary Clinton’s chances of becoming president of the United States, opposing her candidacy on both policy and personal grounds.

Read more at
http://thehackernews.com/2016/07/hillary-clinton-hacked.html

If you get caught using a VPN (Virtual Private Network) in Abu Dhabi, Dubai or the broader United Arab Emirates (UAE), you could face temporary imprisonment and fines of up to $545,000 (~Dhs2 Million). Yes, you heard that right.

Online privacy is one of the biggest challenges in today’s interconnected world. Governments across the world have been found to be using the Internet to track people’s information and conduct mass surveillance. This is where VPNs and proxy servers come into play.

VPNs and proxy servers are being used by many digital activists and protesters, who are living under the most oppressive regimes, to protect their online activity from prying eyes.

However, using a VPN or proxy in the UAE could land you in great difficulty.

Read more at
http://thehackernews.com/2016/07/vpn-is-illegal-in-uae.html


The European Police agency Europol has joined forces with police and cyber security companies to launch a worldwide initiative to jointly combat and tackle the exponential growth of ransomware used by cyber criminals.

Europol today announced the initiative, dubbed No More Ransom, which is backed by technology giant Intel, cyber security firm Kaspersky Lab and the Netherlands police, and aims at decreasing an “exponential” rise in the ransomware threat.

Ransomware is a piece of malware that typically locks a victim’s device using encryption and demands a fee to decrypt the important data. The estimated number of ransomware victims tripled in the first quarter of this year alone.

Read more at
http://thehackernews.com/2016/07/ransomware-decrypt-tool.html

LastPass

Password managers seem like a great idea, given rampant password reuse, the average user’s poor ability to create strong passwords, and the sheer number of credentials we’re supposed to remember. But major vulnerabilities have been found in LastPass—opening the door to a full remote compromise for its users.

Independent security researcher Tavis Ormandy said that the zero-day flaw can be exploited using a drive-by technique with a malicious website. If successful, the attacker gains the digital keys to the kingdom—all of the credentials that the user has stored for online services.

“Are people really using this lastpass [sic] thing?” Ormandy tweeted. “I took a quick look and can see a bunch of obvious critical problems.”

One Ormandy Twitter follower responded, “I’m perplexed anyone uses an online service to store passwords”—to which Ormandy responded, “Yeah, me too.”

Read more at
http://www.infosecurity-magazine.com/news/major-lastpass-flaw-compromises/

Ah, the irony: as the security community gears up for Black Hat USA 2016, a flaw in the official conference app enables attackers to become anyone or spy on attendees.

Conference attendees can install the app on their mobile devices to browse the conference’s agenda, get exhibitor info, message attendees, schedule events they will attend and participate in a conference-wide Twitter-like activity feed. According to Lookout Security, a flaw opens the door to attendee impersonation—so users should be cautious of any activity or messages that are posted or received within the app.

“While investigating both the iOS and Android versions of the Black Hat USA 2016 app, we discovered that a user could register using any email address they want (as long as it hasn’t already been used to register with the app previously),” explained Lookout researcher Andrew Blaich, in a blog. “This includes any email address, whether or not the person signing up owns the email address. It doesn’t even matter if the email address exists at all.” Further, the Black Hat app does not require any confirmation to log in: the user is immediately logged into the app after typing in any email address.

Read more at
http://www.infosecurity-magazine.com/news/official-black-hat-usa-app-allows/
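The registration weakness above comes down to one missing step: the server never checks that the person signing up controls the mailbox. Below is an added illustration (not code from the Black Hat app or from Lookout; the backend is unknown, so every name here is hypothetical) of a sign-up handler that reproduces the flaw beside one that withholds the session until a single-use, time-limited token mailed to that address is presented.

```python
import hashlib
import hmac
import secrets
import time

VERIFY_TTL = 15 * 60  # seconds a mailed token stays valid (assumed policy)


def insecure_register_and_login(users, email):
    """Reproduces the weakness: any address is accepted and logged in at once."""
    if email in users:
        return None  # address already taken
    users[email] = {"verified": False}  # nobody proved control of the mailbox
    return "session:" + email  # session issued without any confirmation


class VerifiedRegistry:
    """Hardened flow: no session until a single-use mailed token is presented."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}  # email -> (hashed token, expiry time)
        self.users = {}
        self.outbox = []  # constructed stand-in for the mail sender

    def _hash(self, token):
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()

    def start_registration(self, email):
        # Same response whether or not the address is known, so the endpoint
        # cannot be used to enumerate registered attendees.
        if email not in self.users and email not in self.pending:
            token = secrets.token_urlsafe(32)
            self.pending[email] = (self._hash(token), time.time() + VERIFY_TTL)
            self.outbox.append((email, token))  # only the mailbox owner sees it
        return "check your inbox"

    def confirm(self, email, token):
        entry = self.pending.get(email)
        if entry is None:
            return None
        token_hash, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(token_hash, self._hash(token)):
            return None
        del self.pending[email]  # single use: a replayed token is rejected
        self.users[email] = {"verified": True}
        return "session:" + email
```

Only the hash of the token is stored server-side, so a leaked pending table does not let anyone complete someone else’s registration.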

The U.S. Department of Homeland Security (DHS) has published guidelines on when, how and to which government agency US organizations should report cyber incidents. This follows last week’s release of Presidential Policy Directive 41 (PPD-41) on United States Cyber Incident Coordination — which specifically requires the DHS to ‘maintain and update’ such a fact sheet.

The fact sheet (PDF) makes no mention of PPD-41’s Incident Severity Schema. That schema defined six levels (0-5) that provide a common framework for evaluating incident severity; and according to PPD-41, government agencies should get involved from level 3 upwards.

The DHS guidelines first define a cyber incident (“an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems”), and then address whether the severity of the incident warrants reporting. “Victims,” it explains, “are encouraged to report all cyber incidents that result in significant loss; impact a large number of victims; indicate a compromise of critical IT systems; affect the critical infrastructure; or impact national security, economic security, or public health and safety.” Fundamentally, it remains a value judgment by the affected organization.

Read more at
http://www.securityweek.com/dhs-details-cyber-incident-reporting-process

Online privacy is an Internet buzzword nowadays. If you are also concerned about the privacy of your web surfing, the most efficient way is to use TOR – free software that lets users communicate anonymously by hiding their actual location from snoopers. Although TOR is a great anonymity network, it has some limitations that could still allow a motivated hacker to compromise the anonymity of legions of users, including dark web criminals as well as privacy-minded innocents. Moreover, TOR (The Onion Router) has likely been targeted by the FBI to arrest criminals, including the alleged Silk Road 2 lieutenant Brian Richard Farrell, who was arrested in January 2014. Even the TOR Project accused the FBI of paying researchers at Carnegie Mellon University (CMU) at least $1 Million to disclose a technique that could help the agency unmask TOR users and reveal their IP addresses as part of a criminal investigation. So, what’s next? Is there an alternative? Well, most probably, YES.

Read more at
http://thehackernews.com/2016/07/riffle-anonymous-proxy.html

Why can’t we detect all security loopholes and patch them before hackers exploit them?
Because we know that humans are too slow at finding and fixing security bugs, which is why vulnerabilities like Heartbleed, POODLE and GHOST remained undetected for decades and rendered almost half of the Internet vulnerable to theft by the time patches were rolled out.
To clear this hurdle, DARPA has come up with an idea: build a smart Artificial Intelligence system that will automatically detect and even patch security flaws in a system. Isn’t that a revolutionary idea for Internet security?

The Defense Advanced Research Projects Agency (DARPA) has selected seven teams of finalists who will face off in a historic battle, as each tries to defend itself and find flaws without any human control. The DARPA Cyber Grand Challenge will be held at the annual DEF CON hacking conference in Las Vegas next month.

Read more at
http://thehackernews.com/2016/07/hacking-artificial-intelligence.html